On December 8th, Jake Karnes of NetSPI published a new post-exploitation technique and exploit code that takes advantage of aspects of the Kerberos authentication protocol. The Bronze Bit Ticket Attack (CVE-2020-17049) goes after the Service for User and Constrained Delegation Protocol (S4Uself and S4U2proxy) and will force a flag (the “Bronze Bit”) to change what would have been a non-forwardable service ticket to be forwardable. What this accomplishes is allowing the attacker to impersonate another user or service account.
Flag changes from NetSPI Blog
Analyst Notes
This exploit is another variation in a long line of attacks that have taken advantage of Kerberos in the past (Gold and Silver Ticket attacks). Microsoft has distributed a working patch for this vulnerability in November and has released an update in December. With the history that Kerberos has had with vulnerabilities such as CVE-2020-17049, organizations must watch for ways attackers can gain the necessary hashes through methods like Kerberoasting, DC Sync attacks, and SPN account creation through Powermad. Ingesting logs from Kerberos and incorporating continuous monitoring for these attacks can provide a critical advantage against attackers.
